A  Family  of  Collusion  Resistant  Protocols  for 
Instantiating  Security 


Sandeep  S.  Kulkarni  Bruhadeshwar  Bezawada 
Department  of  Computer  Science  and  Engineering 
Michigan  State  University 
East  Lansing  MI  48824 


Mohamed  G.  Gouda 
Department  of  Computer  Science 
The  University  of  Texas  at  Austin 
Austin,  TX  78712 


Abstract 

In  this  paper,  we  focus  on  the  problem  of  identifying  a  family  of  collusion  resistant  protocols  that 
demonstrate  a  tradeoff  between  the  number  of  secrets  that  users  maintain  and  the  level  of  collusion 
resistance.  Towards  this  end,  we  define  the  classes  of  collusion  resistant  protocols  (modeled  along  the 
complexity  classes  in  algorithmic  complexity)  and  evaluate  the  membership  of  existing  protocols  as 
well  as  the  protocols  in  the  proposed  family  for  membership  in  these  classes.  We  also  show  that  this 
family  contains  existing  protocols  for  instantiating  security. 

Keywords  :  Security,  Instantiating  security,  Scalability,  Collusion  Resistance 


1  Introduction 

One  way  to  achieve  security,  including  authentication  and  privacy,  is  to  require  that  the  sender  and 
receiver  share  a  common  secret  that  no  other  user  in  the  network  knows.  An  impediment  in  providing 
1Email:  sandeep@cse.msu.edu,  bezawada@cse.msu.edu,  gouda@cs.utexas.edu 
Web:  http : //www . cse.msu.edu/~fsaudeep , bezawada},  http : //www. cs .utexas . edu/~gouda 
Tel:  +1-517-355-2387 

This  work  was  partially  sponsored  by  NSF  CAREER  CCR-0092724,  DARPA  Grant  OSURS01-C-1901,  ONR  Grant 
N00014-01- 1-0744,  NSF  grant  EIA-0130724,  and  a  grant  from  Michigan  State  University. 


1 


Report  Documentation  Page 

Form  Approved 

OMB  No.  0704-0188 

Public  reporting  burden  for  the  collection  of  information  is  estimated  to  average  1  hour  per  response,  including  the  time  for  reviewing  instructions,  searching  existing  data  sources,  gathering  and 
maintaining  the  data  needed,  and  completing  and  reviewing  the  collection  of  information.  Send  comments  regarding  this  burden  estimate  or  any  other  aspect  of  this  collection  of  information, 
including  suggestions  for  reducing  this  burden,  to  Washington  Headquarters  Services,  Directorate  for  Information  Operations  and  Reports,  1215  Jefferson  Davis  Highway,  Suite  1204,  Arlington 

VA  22202-4302.  Respondents  should  be  aware  that  notwithstanding  any  other  provision  of  law,  no  person  shall  be  subject  to  a  penalty  for  failing  to  comply  with  a  collection  of  information  if  it 
does  not  display  a  currently  valid  OMB  control  number. 

1.  REPORT  DATE 

2QQ£  2.  REPORT  TYPE 

3.  DATES  COVERED 

00-00-2006  to  00-00-2006 

4.  TITLE  AND  SUBTITLE 

A  Family  of  Collusion  Resistant  Protocols  for  Instantiating  Security 

5a.  CONTRACT  NUMBER 

5b.  GRANT  NUMBER 

5c.  PROGRAM  ELEMENT  NUMBER 

6.  AUTHOR(S) 

5d.  PROJECT  NUMBER 

5e.  TASK  NUMBER 

5f.  WORK  UNIT  NUMBER 

7.  PERFORMING  ORGANIZATION  NAME(S)  AND  ADDRESS(ES) 

Michigan  State  University, Department  of  Computer  Science  and 
Engineering, East  Lansing, MI, 48824 

8.  PERFORMING  ORGANIZATION 

REPORT  NUMBER 

9.  SPONSORING/MONITORING  AGENCY  NAME(S)  AND  ADDRESS(ES) 

10.  SPONSOR/MONITOR'S  ACRONYM(S) 

11.  SPONSOR/MONITOR'S  REPORT 
NUMBER(S) 

12.  DISTRIBUTION/AVAILABILITY  STATEMENT 

Approved  for  public  release;  distribution  unlimited 

13.  SUPPLEMENTARY  NOTES 

14.  ABSTRACT 

15.  SUBJECT  TERMS 

16.  SECURITY  CLASSIFICATION  OF:  17.  LIMITATION  OF 

18.  NUMBER  19a.  NAME  OF 

a.  REPORT  b.  ABSTRACT  c.  THIS  PAGE 

unclassified  unclassified  unclassified 

20 

Standard  Form  298  (Rev.  8-98) 

Prescribed  by  ANSI  Std  Z39-18 


such  security  is  the  issue  of  collusion  among  users.  Specifically,  if  a  group  of  users  collude  then  they 
can  combine  their  collection  of  secrets  and  attempt  to  foil  the  security  of  the  communication  among  the 
remaining  users.  One  way  to  achieve  such  collusion  resistance  is  to  use  the  full  secret  protocol,  where  each 
pair  of  users  maintains  a  unique  secret  that  only  known  to  those  two  users.  With  such  an  approach,  the 
collusion  among  some  users  does  not  affect  the  remaining  users.  However,  in  this  approach,  the  number 
of  secrets  that  users  maintain  is  n  —  1,  and  it  is  difficult  to  maintain  these  secrets  if  the  number  of  users 
is  large  or  the  user  capability  is  low  (e.g.,  in  ad-hoc  networks  and  sensor  networks). 

Another  protocol  in  this  context  is  the  square  grid  protocol  from  [1]  (recalled  in  Section  2.1).  This 
protocol  guarantees  security  in  the  absence  of  collusion  while  maintaining  only  0(y/n)  secrets  per  user. 
Specifically,  it  guarantees  that  when  two  users  communicate,  the  collection  of  secrets  they  use  is  such  that 
no  other  user  knows  all  secrets  in  that  collection.  However,  other  users  may  know  (different)  subsets  of 
this  collection  of  secrets.  Hence,  the  collusion  among  such  users  can  compromise  the  security  between  a 
pair  of  users.  Also,  in  this  protocol,  a  small  group  of  colluding  users  can  significantly  degrade  the  ability 
of  others  to  communicate  securely. 

Since  the  number  of  secrets  maintained  by  the  square  grid  protocol  is  within  a  constant  factor  of  optimal 
[1]  for  any  protocol  that  provides  security  in  the  absence  of  collusion  and  the  level  of  collusion  resistance 
of  the  full  secret  protocol  is  as  good  as  it  gets,  we  focus  on  the  question  of  tradeoff  between  number  of 
secrets  maintained  by  users  and  the  corresponding  collusion  resistance. 

Contributions  of  the  paper. 

•  We  propose  a  family  of  collusion  resistant  protocols  where  the  level  of  collusion  resistance  is  pro¬ 
portional  to  the  number  of  secrets  that  users  maintain. 

•  We  formally  define  the  notion  of  collusion  resistance.  Using  this  definition,  we  identify  classes 
of  collusion  resistant  protocols.  We  evaluate  the  membership  of  existing  protocols  as  well  as  the 
protocols  in  the  proposed  family  in  these  collusion  resistance  classes. 

•  While  the  proposed  family  of  collusion  resistant  protocols  is  based  on  the  square  grid  protocol 
from  [1],  we  show  that  other  variations  of  the  square  grid  protocol  cannot  be  used  to  obtain  such 
a  family. 


2 


Organization  of  the  paper.  In  Section  2,  we  consider  the  related  work  and  recall  the  square 
grid  protocol  from  [1],  Then,  in  Section  3,  we  define  what  we  mean  by  collusion  resistance  of  a  secret 
distribution  protocol.  Using  this  definition,  in  Section  4,  we  define  collusion  resistance  classes.  In  Section 
5,  we  identify  the  constraints  that  should  be  met  in  order  to  identify  a  family  of  collusion  resistant 
protocols.  Using  these  constraints,  in  Section  6,  we  present  our  family  of  collusion  resistant  protocols. 
Finally,  in  Section  7,  we  present  simulation  results  and  conclude  in  Section  8. 

2  Classification  of  Protocols  for  Instantiating  Security 

The  approaches  for  instantiating  security  can  be  broadly  classified  in  terms  of  those  that  use  asymmetric 
keys  (e.g.,  public/private  key)  and  those  that  use  symmetric  keys.  In  the  former  approach  (e.g.,  [2-4]), 
certificates  are  used  and  initially  each  user  is  provided  with  a  certificate  signed  by  a  trusted  authority. 
However,  this  solution  requires  high  computing  power  (100-1000  times  when  compared  with  symmetric 
keys).  For  this  reason,  we  focus  on  solutions  that  use  shared  secrets  instead  of  certificates. 

The  approaches  for  providing  security  with  shared  secrets  can  be  further  classified  in  terms  of  (1)  avail¬ 
ability  (or,  the  lack  thereof)  of  a  trusted  server  during  communication  between  users ,  and  (2)  trust  (or, 
the  lack  thereof)  in  the  intermediate  users  that  may  be  required  to  facilitate  routing  of  messages  between 
communicating  users. 

Existing  protocols  such  as  [5-9]  are  designed  for  systems  where  a  trusted  server  is  available  when  two  users 
need  to  communicate.  However,  in  many  systems,  this  approach  is  undesirable  (respectively,  impossible) 
as  no  trusted  server  is  available  when  two  users  need  to  communicate  with  each  other.  The  protocols  in 
the  proposed  family  assume  that  a  trusted  server  is  unavailable  when  users  need  to  communicate. 

Also,  other  protocols  have  been  designed  where  intermediate  users  are  trusted.  These  protocols  include 
[10-13].  Since  the  intermediate  users  are  trusted,  if  two  non-neighboring  users  need  to  communicate, 
they  route  the  messages  through  the  intermediate  users  that  decrypt  and  re-encrypt  the  message.  Thus, 
it  suffices  that  the  communicating  users  share  a  path  such  that  every  user  on  the  path  shares  a  secret 
with  its  predecessor  and  its  successor.  However,  in  this  case,  compromise  of  a  small  number  of  users 
(and,  collusion  among  them)  that  act  as  intermediate  users  can  severely  compromise  the  security. 


3 


Another  category  of  solutions  includes  solutions  where  intermediate  users  are  not  trusted.  Clearly,  in 
such  a  solution,  compromise  of  intermediate  users  (or  collusion  between  them)  does  not  affect  system 
security  as  long  as  the  communicating  users  share  a  secret  that  is  not  known  to  the  intermediate  users. 
Especially,  in  the  context  of  developing  collusion  resistant  protocols,  it  is,  therefore,  desirable  to  follow 
this  approach. 

Based  on  the  above  discussion,  we  focus  on  the  security  protocols  where  (1)  shared  secrets  are  used,  (2) 
a  trusted  server  is  not  available  when  two  users  communicate  (such  a  trusted  server  could  exist  for  users 
to  obtain  their  shared  secrets  in  an  offline  manner),  and  (3)  intermediate  nodes  are  only  trusted  as  far 
as  routing  is  concerned.  They  should  not  be  able  to  decrypt  any  communication  they  are  forwarding. 
One  such  protocol  is  the  square  grid  protocol  from  [1],  Since  our  proposed  family  of  collusion  resistant 
protocols  is  based  on  this  protocol,  we  recall  this  protocol,  next. 

2.1  The  Square  Grid  Protocol 

In  this  section,  we  recall  the  square  grid  protocol  [1]  for  instantiating  security.  In  this  protocol,  n  users 
are  arranged  in  a  logical  square  grid  of  size  \Jn  x  y/n.  Each  location,  (i,j),  0  <  i,j  <  y/n,  in  the  grid  is 
associated  with  a  user  u^j\  and  a  grid  secret  k(i,j)  •  Each  user  knows  all  the  grid  secrets  that  are  along 
its  row  and  column.  For  example,  in  Figure  1,  the  grid  secret  associated  with  (1, 1)  is  known  to  users 
at  locations  (j,  1),  (1  ,j),  0  <  j  <  3.  (One  small  optimization  of  this  protocol  is  that  user  uuj\  need  not 
maintain  kujy  However,  for  simplicity,  in  this  paper,  we  ignore  this  optimization.)  Additionally,  each 
user  maintains  a  direct  secret  with  users  in  its  row  and  column.  This  direct  secret  is  not  known  to  any 
other  user.  For  example,  user  iqlj2\  shares  a  direct  secret  with  user,  v,( lj3),  which  is  located  in  the  same 
row  (cf.  Figure  1). 


Figure  1:  Single  grid  protocol:  A  node  marked  (j,k)  is  associated  with  user  and  grid  secret  k(jj.\ 


4 


Now,  consider  the  case  where  a  user  A  wants  to  send  message  m  to  user  B.  Let  the  locations  of  A  and 
B  be  (ji,ki)  and  (j'2,^2)  respectively.  In  this  case,  A  encrypts  m  using  the  following  secret  selection 
protocol  and  sends  it  along  with  its  own  grid  location  (in  plain  text).  If  multiple  secrets  are  selected  by 
the  communicating  users  then  a  combination  of  those  secrets  (using  primitives  like  XOR  or  hash  functions 
like  MD5)  is  used  to  encrypt  the  message. 

If  (j'l  +  h  A  ki^k2)  //  Users  are  neither  in  same  row  nor  in  same  column 

Use  the  grid  secrets  k(jltk2\  and  k(j2^1\ 

Else  //  Users  are  in  the  same  row  or  column 

Use  the  direct  secret  between  and  u (j2,k2) 

Theorem  2.1  The  above  protocol  ensures  that  the  collection  of  secrets  used  by  two  communicating 
users  is  not  known  to  any  other  user  in  the  system.  Hence,  in  the  absence  of  collusion,  the  above  protocol 
can  be  used  for  providing  authentication  and  privacy,  (cf.  [1]  for  proof.)  q 

Remark.  Note  that  in  this  paper,  we  only  focus  on  the  issue  of  secret  distribution  and  secret  selection. 
Once  the  secret(s)  is  selected,  existing  approaches  can  be  used  to  provide  resistance  against  attacks  such 
replay  of  old  messages.  These  approaches  include  the  use  of  ‘time’  and/or  ‘nonces’, 

3  Defining  Collusion  Resistance  of  Security  Protocols 

In  this  section,  we  precisely  define  how  we  count  the  secrets  maintained  by  users  and  what  we  mean  by  a 
protocol  to  be  collusion  resistant.  We  are  interested  in  protocols  where  the  secrets  maintained  by  a  user 
are  independent,  i.e.,  even  if  an  attacker  knows  a  subset  of  the  secrets  that  a  user  has,  it  should  not  be 
possible  for  the  attacker  to  discover  the  other  secrets  that  user  has.  In  other  words,  the  knowledge  of  a 
subset  of  secrets  does  not  assist  the  attacker  in  identifying  the  remaining  secrets  through  cryptanalytic 
attacks.  Thus,  even  if  two  users  use  a  set  of  secrets  to  ensure  security  and  the  attacker  is  aware  of  all 
but  one  of  those  secrets,  the  attacker  cannot  compromise  that  communication. 

Furthermore,  to  compute  the  space  requirement  for  secrets,  we  count  all  secrets  that  are  need  to  be 
stored  by  the  user.  To  illustrate  this  issue,  consider  the  case  where  a  small  number,  say  x,  of  secrets  are 


5 


used  initially  to  generate  a  large  number,  say  y,  of  new  secrets  by  some  mathematical  manipulation  (e.g., 
using  those  in  evaluating  certain  polynomials)  of  the  original  secrets.  In  such  a  case,  if  these  y  secrets  are 
stored  by  the  user  then  the  space  requirement  for  this  case  is  y.  However,  if  these  secrets  are  computed 
on-the-fly  then  the  space  requirement  is  x. 

Our  intruder/attacker/colluder  model  is  as  follows: 

Intruder/ Attacker /Colluder  Model.  We  assume  the  standard  node-compromise  attacker  model 

(e.g.,  [10,11,13-15]).  If  a  user  has  been  compromised  by  an  attacker  then  it  can  utilize  all  the  secrets  that 
the  user  had.  It  can  do  so  either  passively,  i.e. ,  by  just  listening  to  messages  and  attempting  to  decrypt 
them  if  possible.  Or,  it  can  do  so  actively,  for  example,  it  can  attempt  to  impersonate  another  user.  The 
colluding  users  (attackers)  can  pool  together  their  secrets  in  order  to  break  communication  security. 
Also,  we  make  no  assumptions  about  mobility  in  the  network.  Thus,  the  users  may  be  mobile  or  static. 
We  only  assume  that  an  orthogonal  approach  is  used  to  route  messages  (even  in  the  presence  of  mobility) 
and  to  deal  with  denial  of  service  attacks.  In  other  words,  we  only  assume  that  any  message  sent  by 
legitimate  users  is  delivered  (even  if  users  are  mobile  or  the  system  is  subject  to  a  denial  of  service  attack). 
The  approaches  used  for  routing  or  for  dealing  with  denial  of  service  attacks  are  outside  the  scope  of  this 
paper. 

When  users  collude,  they  can  combine  the  secrets  they  know  in  order  to  compromise  communication 
among  the  remaining  users.  To  study  the  effect  of  such  collusion,  consider  a  system  with  n  users.  In  such 
a  system,  there  are  a  total  of  n{n  —  1)  pairs  of  communicating  users.  (For  simplicity,  we  consider  (j,  k) 
to  be  a  different  pair  than  ( k,j )).  Hence,  when  a  set  of  users  collude,  some  of  these  pairs  can  no  longer 
communicate  securely,  as  all  the  secrets  they  use  for  achieving  security  are  known  to  the  colluding  users. 
For  example,  in  Figure  1,  if  users  U(0,o)  and  u(i,i)  collude  then  users  «(2,o)  cannot  communicate  securely 
with  u/3ji\.  Our  definition  of  collusion  resistance  is  based  on  the  effect  of  the  collusion  on  these  pairs. 
First,  we  consider  two  such  plausible  definitions,  and  argue  that  they  are  inappropriate  because  either 
they  do  not  capture  the  true  collusion  resistance  of  the  protocol  or  they  are  difficult  to  use. 

Attempt  1:  A  protocol  is  collusion  resistant  to  x  users  if  at  least  one  pair  of  users  can  communicate 
securely  even  if  any  subset  of  x  users  collude. 

This  definition  is  inappropriate  for  the  following  reason:  Consider  any  secret  distribution  protocol  for 


6 


users  1 . . .  n.  Without  loss  of  generality,  let  n  be  even.  In  this  protocol,  add  an  additional  secret  between 
(1,2),  (3,4),  ...,  (n  —  1  ,n).  With  such  modification,  if  the  number  of  colluding  users  is  less  than  n/2 
then  at  least  one  pair  of  users  can  communicate  securely.  Thus,  if  we  were  to  use  the  above  definition 
then  the  protocol  will  be  collusion  resistant  to  n/2  users.  Since  this  modification  involves  addition  of 
one  secret  to  each  user,  any  secret  distribution  protocol  can  be  trivially  modified  to  get  resistance  to 
n/2  colluding  users.  In  other  words,  the  above  definition  fails  to  identify  the  true  collusion  resistance  of 
different  protocols.  Therefore,  the  definition  of  collusion  resistance  should  require  a  ‘significant  number’ 
of  pairs  to  be  unaffected.  Hence,  we  consider  the  following  definition. 

Attempt  2:  A  protocol  is  collusion  resistant  to  x  users  if  at  least  half  of  the  pairs  of  users  can  commu¬ 
nicate  securely  even  if  any  subset  of  x  users  collude. 

Although  this  definition  does  allow  one  to  distinguish  between  collusion  resistance  of  different  protocols, 
the  choice  of  half  is  arbitrary.  Moreover,  using  this  definition,  it  may  be  difficult  to  compute  the  collusion 
resistance  of  a  particular  protocol.  Also,  the  collusion  resistance  varies  widely  if  we  change  the  requirement 
about  the  percentage  of  unaffected  pairs. 

Yet  another  problem  with  the  above  definition  is  that  it  does  not  allow  us  to  identify  the  trend  in  the 
effect  of  collusion.  Specifically,  as  the  number  of  users  in  a  system  grows,  it  is  desirable  that  the  number 
of  colluding  users  required  to  inflict  the  same  disruption,  computed  in  terms  of  the  percentage  of  pairs 
affected,  should  also  increase.  Therefore,  the  definition  of  collusion  resistance  should  be  such  that  we  can 
say  ‘a  protocol  is  collusion  resistant  to  /(n)  users  if  n  is  the  total  number  of  users  in  the  system’.  With 
this  intuition,  we  now  define  the  notion  of  a  collusion  resistance  function. 

Definition.  A  function  ^  :  N  i — >  N,  is  a  collusion  resistance  function  for  a  protocol  SA  iff 

NumUnAf fected(n^(n))  ^  n 
lim^oo  Total  Pair  s(n)  >  U’ 

where,  NumUnAf  fectedfn^in))  =  the  minimum  number  of  pairs  in  a  system  of  n  users  that  can 

communicate  securely  even  if  any  subset  of^^n)  collude  and 
TotalPairs(n)  =  All  possible  pairs  in  a  system  with  n  users  =n(n  —  1) 

□ 

Definition.  We  say  that  a  protocol  &  with  n  users  is  collusion  resistant  to  c(o{ n )  users  iff  is  a 
collusion  resistance  function  of  & .  □ 


7 


Remark.  Note  that,  NumUTc!tafpairs(n)‘^('n^  always  in  the  range  [0,1].  Thus,  the  above  definition 
requires  that  as  the  system  size  increases  the  ratio  converges  to  a  non-zero  constant.  A  reader  may 
wonder  if  we  could  have  defined  that  a  protocol  is  collusion  resistant  to  ^(n)  users  if  the  number  of 
affected  pairs  is  insignificant,  i.e. ,  linin^oo  NumUT^ta/pairs(n)  ^  =  1-  We  note  that  such  a  definition 
would  be  viable.  We  consider  this  issue  after  identifying  the  collusion  resistance  of  the  square  grid 
protocol. 

Example:  Collusion  resistance  of  the  square  grid  protocol.  Observe  that,  in  the  square  grid 
protocol  in  [1],  the  worst  case  disruption  due  to  collusion  occurs  if  the  colluding  users  are  in  different 
rows  and  different  columns.  Moreover,  without  loss  of  generality,  the  grid  locations  of  such  colluding 
users  can  be  renamed  so  that  they  he  along  the  diagonal  of  the  square  grid  as  such  renaming  does  not 
affect  the  nature  of  secrets  known  to  the  colluding  users.  Thus,  if  r  users  collude,  we  can  assume  that 
they  are  at  locations,  (0, 0),  (1,1)  ...  (r  —  1,  r  —  1),  along  the  diagonal. 


CD  ►  Colluding  Users 

Figure  2:  Effect  of  Collusion  on  Grid  Protocol 


Now,  we  show  that  the  function,  c€{ [n )  =  [-^J  is  a  collusion  resistance  function  for  the  square  grid 
protocol.  To  verify  this,  consider  the  case  where  the  first  [-^J  users  along  the  diagonal  collude  (cf. 
Figure  2).  The  grid  secrets  of  users  in  the  top  [-^J  rows  and  left  [-^J  columns  are  compromised. 
However,  the  users  in  the  lower  right  quadrant  (cf.  Figure  2)  are  not  affected  if  they  communicate  within 
themselves.  Since  the  number  of  users  that  are  not  affected  is  at  least  j,  the  number  of  unaffected  pairs 
is  at  least  f  .(f  —  1).  Now, 


1  inn  rM _ tl  —  _L  f) 

umn^> oo  (  —  16  ->  u 


From  the  above  result,  'if(n)  =  L-Cj  is  a  collusion  resistance  function  of  the  square  grid  protocol.  In 


general,  a  function  c.y/n  is  a  collusion  resistance  function  for  the  square  grid  protocol  if  0  <  c  <  1. 
Moreover,  1  .y/n  is  not  a  collusion  resistance  function  because  if  all  sjn.  users  along  the  diagonal  collude 
then,  all  the  grid  secrets  are  compromised.  Thus,  a  user  is  able  to  communicate  securely  only  with  those 
users  with  which  it  maintains  a  direct  secret.  In  other  words,  users  will  be  able  to  communicate  securely 
with  users  in  their  rows  and  columns.  Each  row  (column)  has  yfn  users.  Hence,  the  number  of  pairs  in  a 
row  are  at  most  n.  Since  there  are  \fn  rows  and  \fn  columns,  the  number  of  unaffected  pairs  is  atmost, 
2 riy/n.  And, 


2riy/n 


=  limr 


Remark.  If  we  had  used  the  definition  ‘a  protocol  is  collusion  resistant  to  (n)  users  if  the  number 
of  affected  pairs  is  insignificant,  i.e.,  limn^.0O  NumUT^ta/pairs(n)  =  ^  then  it  could  be  shown  that  the 
grid  protocol  is  collusion  resistant  to  users  where  e  is  any  positive  number.  We  leave  this  proof 


as  an  exercise  to  the  reader.  Therefore,  the  conclusion  reached  about  the  collusion  resistance  of  the  grid 
protocol  is  essentially  the  same  as  that  reached  with  our  definition.  We  note  that  this  observation  is  true 
for  all  the  protocols  considered  in  this  paper. 


4  Collusion  Resistance  Classes 


Based  on  the  above  discussion  of  the  grid  protocol,  we  now  define,  along  the  lines  of  complexity  classes 
for  algorithms,  the  notion  of  collusion  resistance  class. 

Definition.  Or(f(n ))  is  the  set  of  key  distribution  protocols  for  which  c.f(n )  is  a  collusion  resistance 

function  for  some  (positive)  value  of  c.  In  other  words, 

Or(/(n))  =  {P  |  3c  :  c  >  0  :  c./(n)  is  a  collusion  resistance  function  of  P  }  q 

Definition.  flr(/(n))  is  the  set  of  key  distribution  protocols  for  which  c.f(n)  is  not  a  collusion 

resistance  function  for  some  (positive)  value  of  c.  In  other  words, 

flr(/(n))  =  {P  |  3c:  c>  0  :  c./(n)  is  not  a  collusion  resistance  function  of  P  }  □ 

Definition.  0r(/(n))  is  the  set  of  key  distribution  protocols  that  are  both  in  Or(f(n))  and  £lr(f(n)). 

In  other  words, 


@r(/(n))  =  Or(/(n))nflr(/(n)). 


9 


Now,  based  on  these  definitions  and  the  above  discussion  about  the  square  grid  protocol,  we  have: 
Observation  4.0  Given  e  and  5  such  that  0  <  e>  <  e,  we  have 

•  Or(ne )  C  Or(ns ) 

•  flr(n5)  C  flr(ne) 

Theorem  4.1  The  square  grid  protocol  G  @r(y/n).  □ 

Remark.  Although  the  above  definitions  are  modeled  along  the  complexity  classes  for  algorithms, 
not  all  results  about  complexity  classes  may  apply  in  this  context  and  vice  versa.  For  example,  above 
definitions  are  meaningful  only  if  f(n)  linear  or  a  slower  growing  function.  Also,  since  f(n)  =  n  is  not 
a  collusion  resistance  function  for  any  protocol  (because  if  all  users  collude  then  none  can  communicate 
securely),  fir(n)  consists  of  all  key  distribution  protocols. 

Example:  Collusion  resistance  of  the  full  secret  protocol.  Now,  we  describe  the  full  secret 
protocol  and  its  collusion  resistance.  In  this  protocol,  there  is  a  unique  secret  associated  with  every  pair 
of  users.  Thus,  for  a  system  of  n  users,  each  user  maintains  n  —  1  secrets. 

The  function  ^(n)  =  |_§J  is  a  collusion  resistance  function  for  the  full  secret  protocol.  To  verify  this, 
we  note  that  the  pairwise  secrets  shared  by  the  remaining  [~^~|  users  are  not  compromised  due  to  the 
collusion.  Thus,  the  number  of  pairs  that  are  unaffected  due  to  collusion  is  at  least  §•(§  —  1).  Now, 

-  ("--ll  i 

limn-> oo  2n _£_i)  =  3  >  0 

From  this  result,  we  note  that,  ^(n)  =  |_§ J ,  is  a  collusion  resistance  function  for  the  full  secret  protocol. 
Thus,  we  have, 

Theorem  4.2  The  full  secret  protocol  G  ©r(n). 

Tradeoff  between  number  of  secrets  and  collusion  resistance.  The  full  secret  protocol  is  in 
@r(n)  and  requires  each  user  to  store  @(n)  secrets.  The  collusion  resistance  provided  by  the  full  secret 
protocol  is,  in  some  sense,  the  maximum  collusion  resistance  offered  by  any  security  protocol.  However, 
this  protocol  also  requires  the  users  to  store  the  maximum  number  of  secrets.  On  the  other  hand,  the 
square  grid  protocol  is  in  ©r(y /n)  and  requires  each  user  to  store  Q(y/n)  secrets.  The  number  of  secrets 
stored  by  a  user  in  the  square  grid  protocol  (cf.  [1])  is  within  a  factor  of  the  minimum  number  of  secrets 


10 


that  need  to  be  stored  in  any  security  protocol  that  guarantees  authentication  and  privacy  in  the  absence 
of  collusion.  However,  the  collusion  resistance  provided  by  the  square  grid  protocol  is  also  lower  than  the 
full  secret  protocol. 

Now,  consider  the  following  question:  Is  it  possible  to  identify  a  family  of  protocols  that  provide  a 
tradeoff  between  the  number  of  secrets  that  users  maintain  and  collusion  resistance.  Specifically,  are 
there  protocols  in  Qr(ns),  1/2  <  5  <  1,  where  the  number  of  secrets  maintained  by  users  is  0(ne), 
1/2  <  e  <  1.  Our  approach  to  identify  this  family  is  based  on  variations  of  the  square  grid  protocol. 
We  consider  two  variations  of  the  square  grid  protocol  in  Section  5  and  show  that  they  cannot  be  used 
to  identify  such  a  family.  Then,  in  Section  6  we  present  the  family  of  protocols  that  achieves  the  above 
requirements. 


5  Identifying  Constraints  on  Family  of  Collusion  Resistant  Protocols 

In  this  section,  we  consider  two  variations  of  the  square  grid  protocol.  While  these  variations  fail  to 
identify  the  desired  family  of  collusion  resistant  protocols,  they  identify  two  of  the  desired  properties,  (1) 
need  to  use  2D  grids  instead  of  higher  dimensional  grids,  and  (2)  need  to  use  symmetric  grids  where  the 
number  of  users  in  a  row  is  (approximately)  the  same  as  that  in  column,  that  should  be  met  by  protocols 
in  this  family.  Hence,  a  reader  who  is  willing  to  take  these  properties  for  granted  can  skip  this  section. 

Grid  Protocol  for  Higher  Dimensions.  In  the  context  of  higher  dimensional  grid,  we  consider 
3D  grids.  Each  location  ( i,j,k ),  0  <  i,j,  k  <  n1/3,  is  associated  with  a  user  and  a  grid  secret 

k/i.jjA  ■  Each  user  gets  the  grid  secrets  associated  with  the  (3)  planes  it  is  in.  2  Also,  the  user  maintains 
a  direct  secret  with  users  in  its  planes.  Thus,  the  number  of  secrets  maintained  by  the  user  is  0(n2/3). 

2  A  reader  may  wonder  if  we  could  have  allowed  a  user  to  only  maintain  the  grid  secrets  in  the  (3)  lines  (instead  of  planes) 
it  is  in.  With  such  an  approach,  we  could  reduce  the  number  of  secrets  to  rW3 .  However,  with  this  approach,  it  is  not 
possible  for  all  users  to  communicate  securely  even  in  the  absence  of  collusion.  Specifically,  consider  users  located  at  (0,  0,  0) 
and  (1, 1, 1).  The  former  maintains  secrets  of  the  form  (0,  0,  *),  (0,  *,  0),  (*,  0,  0)  and  the  latter  maintains  secrets  of  the  form 
(1, 1,  *),  (1,  *,  1),  (*,  1, 1).  Therefore,  they  have  no  common  secrets.  By  contrast,  when  they  maintain  secrets  in  their  planes, 
the  secrets  maintained  by  (0,  0,  0)  is  of  the  form  (0,  *,  *),  (*,  *,  0),  (*,  0,  *).  And,  the  secrets  maintained  by  (1, 1, 1)  is  of  the 
form,  (1,  *,  *},  (*,  *,  1),  (*,  1,  *).  Therefore,  they  have  common  secrets  that  they  can  use. 


11 


Now,  when  two  users  communicate,  if  they  are  in  the  same  plane,  they  use  the  direct  secret.  Otherwise, 
they  use  all  the  grid  secrets  shared  by  them.  Now,  consider  the  case  where  the  users  on  the  diagonal  of 


this  grid,  i.e.,  (0, 0,  0),  (1, 1,1),  ...  (n1/3  —  1,  n1/3  —  1,  n1/3  —  1),  collude.  Since  all  grid  secrets  are  thus 
compromised,  users  can  communicate  with  only  those  with  whom  they  maintain  direct  secrets.  In  other 
words,  a  user  can  communicate  securely  with  only  those  users  in  its  planes.  As  each  plane  has  n2/3  users, 
the  number  of  pairs  that  can  communicate  securely  is  atnrost,  n2/3.n2//3.  Since  there  are  3 n1/3  planes  in 
the  grid,  the  total  number  of  unaffected  pairs  is  atmost,  3 n1,/3.n2'/3.n2//3.  Now, 


,.  3  n1//3.n2/3.n2/3  ;■  1 

lvmn — >oc  n(n—  l)  —  IvtTln — >ao  TT 


=  0 


1  /3 

As  in  the  case  of  the  square  grid  protocol,  if  we  consider  that  users  on  the  diagonal  collude  then, 
we  have  at  least  n/8  users  who  can  communicate  securely  within  themselves.  Therefore,  similar  to  the 
square  grid  protocol,  we  can  show  that  is  a  collusion  resistance  function  for  the  3D  grid.  Thus, 
Theorem  5.1  The  3D  grid  protocol  £  ©^(n1/3).  q 

Moreover,  the  number  of  secrets  maintained  by  the  users  is  0(n2/3).  Thus,  the  collusion  resistance  of 
the  3D  grid  protocol  is  not  as  good  as  the  square  grid  protocol  even  though  it  requires  the  users  to  store 
more  secrets. 

Rectangular  Grid  Protocol.  Based  on  the  discussion  about  protocols  with  higher  dimensional  grid, 
it  is  clear  that  to  identify  a  family  of  collusion  resistant  protocols,  we  should  focus  on  2D  grids.  One 
variation  of  the  2D  grid  is  a  rectangular  grid  of  size  Zx6,  where  l  ^  b.  In  this  case,  the  number  of  users 
is  l.b.  The  square  grid  protocol  from  [1]  can  be  trivially  extended  to  such  rectangular  grids.  The  reason 
for  considering  such  protocols  comes  from  the  observation  that  if  b  =  1  then  this  protocol  is  identical  to 
the  full  secret  protocol.  Specifically,  if  b  =  1  then  all  users  are  in  a  single  row.  Hence,  there  are  no  grid 
secrets  and  there  is  a  direct  secret  between  every  pair  of  users. 

Now,  we  evaluate  the  collusion  resistance  of  such  a  protocol.  Without  loss  of  generality,  we  consider 
a  grid  with  l  >  b.  Consider  the  case  where  the  users  on  the  diagonal,  (0,0),  (1,1),  ...(b,b),  collude. 
Thus,  all  the  grid  secrets  are  compromised  and  a  user  can  communicate  securely  with  only  those  users 
with  which  it  maintains  a  direct  secret.  Thus,  secure  communication  is  possible  only  along  the  rows  and 
columns  of  the  rectangular  grid.  As  each  column  has  b  users  and  the  number  of  columns  is  l,  the  number 
of  unaffected  pairs  in  the  columns  is  atmost  l.b2.  Likewise,  the  number  of  unaffected  pairs  in  the  rows  is 


12 


atmost  b.l2.  Now, 

/  •  l.b2+l2.b  _  ]■  f  -k2  +  (f  )2-b  _  ]■  1 

u'nn->oo  n.(n_ i)  —  uilln-* oo  n.(n_i)  —  ll"ln-KX>b 

Thus,  if  b  is  0(1)  (i.e.,  independent  of  n)  then  the  above  limit  is  non-zero.  However,  if  &  is  of  the  form  /(n) 
where  limn^oof{n)  =  oo  then  the  above  limit  is  zero.  Thus,  the  above  protocol  is  collusion  resistant  to  b 
users  only  if  b  =  0(1).  Moreover,  since  l  >  b  then  the  collusion  resistance  of  the  rectangular  grid  protocol 
is  no  better  than  that  of  the  square  grid  protocol.  In  other  words,  to  identify  the  family  of  collusion 
resistant  protocols,  we  should  focus  on  protocols  where  the  number  of  users  in  a  row  is  (approximately) 
equal  to  the  number  of  users  in  a  column.  We  identify  such  a  protocol  family  in  Section  6. 

6  Proposed  Family  of  Collusion  Resistant  Protocols 

Based  on  our  discussion  in  Section  5,  to  identify  a  family  of  collusion  resistant  protocols,  we  should 
focus  on  2D  grids  where  the  number  of  users  in  a  row  is  approximately  the  same  as  that  in  a  column. 
With  this  intuition,  in  this  section,  we  propose  a  family  of  collusion  resistant  protocols  that  (1)  are  in 
©r(rT),  1/2  <  e  <  1,  (2)  maintain  0(ne),l/2  <  e  <  1,  secrets,  and  (3)  the  level  of  collusion  resistance 
is  proportional  to  the  number  of  secrets  that  users  maintain.  Specifically,  in  Section  6.1,  we  present  our 
diagonal  protocol  family  and  in  Section  6.2,  we  identify  its  collusion  resistance. 

6.1  Diagonal  Protocol  Family 

For  a  given  set  of  n  users,  a  protocol  in  this  family  arranges  these  users  in  a  grid  of  size  kxk,  where 
k  >  \fn.  The  value  used  to  instantiate  k  identifies  different  members  in  this  family.  Similar  to  the  square 
grid  protocol,  each  grid  location  (i,j)  is  associated  with  a  grid  secret,  k^jy  However,  as  there  are  more 
grid  locations  than  users,  some  grid  locations  are  not  associated  with  users.  We  assign  the  users  to  grid 
locations  along  the  diagonal.  First,  we  arrange  k  users  along  the  diagonal,  i.e.,  these  users  are  at  locations 
(x,y)  where  (x  —  y)  =  0  mod  k.  Then,  another  k  users  are  assigned  to  grid  locations  ( x,y ),  where, 
(x  —  y)  =  1  mod  k.  We  continue  assigning  the  remaining  users,  to  grid  locations,  {x  —  y)  =  2  mod  k , 
(x  —  y)  =  3  mod  k ,  and  so  on,  until  all  the  users  are  assigned  a  grid  location,  (cf.  Figure  3  where  36 
users  are  arranged  in  a  8x8  grid).  Observe  that  with  such  assignment,  the  number  of  users  in  a  row  is 


13 


approximately  the  same  as  the  number  of  users  in  a  column. 

The  secret  distribution  is  identical  to  that  of  the  square  grid  protocol.  Specifically,  a  user  gets  the  grid 
secrets  in  its  row  and  in  its  column.  And,  each  user  shares  a  direct  secret  with  users  in  its  row  and 
column.  Moreover,  the  secret  selection  protocol  is  the  same  as  that  of  the  square  grid  protocol  (recalled 
in  Section  2.1).  Now,  we  show  that  by  appropriate  instantiation  of  k,  we  can  obtain  the  square  grid 
protocol  and  the  full  secret  protocol. 


•  — -  Grid  locations  with  users 


Figure  3:  User  assignment  in  the  diagonal  protocol 

Obtaining  the  square  grid  protocol.  If  we  instantiate  k  =  \fn  in  the  diagonal  protocol  family  then 
all  grid  locations  will  be  associated  with  users.  Thus,  the  resulting  protocol  is  the  same  as  the  square 
grid  protocol.  q 

Obtaining  the  full  secret  protocol.  If  we  instantiate  k  =  n  in  the  diagonal  protocol  family  then  all 
users  will  be  arranged  along  the  diagonal.  Thus,  no  direct  secrets  are  maintained  and  each  user  maintains 
2(n  —  1)  grid  secrets.  Consider  the  secrets  maintained  by  a  user,  say  at  location  (j,  j) .  When  this  user 
communicates  with  a  user  at  location  (1,1),  it  uses  secrets  at  locations  (j.  1)  and  ( l,j ).  Observe  that 
while  communicating  with  any  other  user,  (j,  j)  (respectively,  (1,1))  uses  neither  of  these  secrets.  Hence, 
instead  of  maintaining  the  secrets  at  locations  (j,  l)  and  (l,  j),  the  user  at  locations  (j,  j)  (respectively, 
(1,1))  can  only  maintain  a  combination  of  these  secrets.  With  this  revision,  the  protocol  is  the  same  as 
the  full  secret  protocol. 

Remark.  In  the  subsequent  discussion,  for  brevity,  we  use  the  term  ‘a  diagonal  protocol’  to  mean  ‘a 
member  in  the  diagonal  protocol  family’. 


14 


6.2  Collusion  Resistance  of  Diagonal  Protocol 


In  the  diagonal  protocol,  if  kxk  grid  is  used  for  a  group  of  n  users  then  users  will  be  assigned  to  locations 
(x,y)  where  x  —  y  =  w  mod  k,  where  0  <  w  <  \n/k~\.  For  simplicity,  we  assume  that  n/k  is  an  integer  and 
ignore  the  fact  that  some  locations  where  x  —  y  =  \n/k]  —  1  mod  k  are  not  associated  with  users.  This 
assumption  is  reasonable  as  we  are  interested  in  asymptotic  behavior  of  the  protocol  while  computing  its 
collusion  resistance. 

Now,  we  consider  the  collusion  resistance  of  such  a  protocol.  Similar  to  the  protocol  in  [1],  the  colluding 
users  cause  the  maximum  disruption  when  they  are  in  different  rows  and  columns.  Hence,  without  loss 
of  generality,  we  can  assume  that  if  there  are  r  colluding  users  then  they  are  at  locations  (0,0),  (1, 1) 

. . .  (r  —  1,  r  —  1),  along  the  diagonal. 

We  consider  the  case  where  there  are  k/2  colluding  users.  Similar  to  our  discussion  in  3,  we  can  see 
that  that  the  users  in  the  lower  right  quadrant  can  communicate  securely  within  themselves.  Now,  we 
compute  the  number  of  users  in  this  quadrant.  The  users  in  the  lower  right  quadrant  are  at  locations 
(x,y)  where  x  >  k/2  and  y  >  k/2.  The  number  of  such  users  where  x  —  y  =  0  mod  k  is  k/2.  Also,  the 
number  of  such  users  where  x  —  y  =  1  mod  k  is  k/2  —  1,  and  so  on.  Thus,  the  number  of  users  in  the 
lower  right  quadrant  is: 

k/2  +  (k/2  —  1)  +  ...  +  ( k/2  —  n/k  +  1) 

>  (k/2  —  n/k)  *  n/k 

>  n/2  —  n/(k2) 

Now,  if  k  =  ne  where  1/2  <  e  <  1  then  n/(k2)  is  o(n).  Therefore,  the  number  of  users  in  the  lower 
quadrant  is  n/2  -  o(n).  Thus,  if  k  =  ne  where  1/2  <  e  <  1  then  the  number  of  users  in  the  lower  quadrant 
is  0(n).  And,  the  number  of  unaffected  pairs  is  0(n2).  It  follows  that  the  diagonal  protocol  with  a  fexfc 
grid  is  resistant  to  collusion  of  k/2  users. 

Furthermore  if  all  k  users  along  the  diagonal  collude  then  all  grid  secrets  are  compromised.  Thus,  a  user 
can  securely  communicate  with  only  users  in  its  row/colunm.  There  are  n/k  users  in  each  row/column. 
And,  there  are  k  rows  and  columns.  Hence,  the  number  of  unaffected  pairs  is  at  most  2 k(n/k)2.  If 
k  =  ne  then  the  number  of  unaffected  pairs  is  atrnost  2 (n2~e).  It  follows  that  the  diagonal  protocol  is 
not  collusion  resistant  to  k  users. 


15 


Based  on  the  above  discussion,  we  have: 

Theorem  6.1  The  diagonal  protocol  with  a  ne  x  ne  grid  €  0r(n€).  □ 

Thus,  the  diagonal  protocol  family  consists  of  protocols  (one  for  each  value  of  e)  such  that  the  number 
of  secrets  maintained  by  users  in  these  protocols  are  proportional  to  the  collusion  resistance  provided  by 
them. 

7  Performance  Analysis 

In  this  section,  we  compare  the  collusion  resistance  of  different  protocols  in  the  diagonal  protocol  family. 
Specifically,  we  consider  the  protocols  in  the  diagonal  protocol  family  where  the  grid  size  is  kxk,  where 
k  is  either  s/n,n2^3  ,  n3/4  or  n4/5.  Of  these,  k  =  \fn  corresponds  to  the  protocol  from  [1],  We  compare 
collusion  resistance  of  these  protocols  in  two  cases  (1)  where  the  colluding  users  are  selected  in  such  a 
way  that  they  cause  the  maximum  number  of  user  pairs  to  be  affected,  and  (2)  where  colluding  users  are 
selected  randomly.  The  former  corresponds  to  the  case  where  colluding  users  can  select  their  grid  locations 
whereas  in  the  latter  corresponds  to  the  case  where  the  colluding  users  do  not  have  such  capability. 

In  these  simulations,  we  also  consider  a  randomized  version  of  the  protocol  family  from  Section  6.  To 
compare  this  with  the  diagonal  protocol  family,  observe  that  in  a  diagonal  protocol,  deterministic  ap¬ 
proach  is  used  to  ensure  that  the  number  of  users  in  a  row  is  approximately  equal  to  the  number  of 
users  is  a  column.  An  alternative  approach  is  to  assign  grid  locations  to  users  randomly  with  uniform 
probability.  With  such  an  approach,  the  expected  number  of  users  in  a  row  is  the  same  as  the  expected 
number  of  users  in  a  column.  Hence,  it  is  expected  that  such  a  protocol  can  be  used  in  identifying  a  family 
of  collusion  resistant  protocols.  Unfortunately,  in  this  protocol,  it  is  difficult  to  identify  the  worst-case 
disruption  that  can  occur  due  to  colluding  users.  For  this  reason,  in  this  protocol,  we  consider  the  case 
where  a  random  collection  of  users  is  selected  to  collude.  For  this  protocol,  we  only  consider  the  case 
where  the  colluding  users  are  selected  randomly. 

In  the  following  simulation  results,  the  term  ‘Grid’  denotes  the  protocol  in  [1]  (also  equivalent  to  the 
diagonal  protocol  with  k  =  \/n).  The  term  ‘Diagonal  k  =  ne’  denotes  the  diagonal  protocol  with  nexne 
grid  where  colluding  users  are  selected  along  the  diagonal.  And,  as  discussed  in  Section  3,  this  causes 


16 


maximum  user  pairs  to  be  affected.  The  term  ‘Random’  denotes  the  above  random  distribution  of  users 
where  colluding  users  are  selected  at  random.  Finally,  the  term  ‘Diagonal  k  =  ne  with  random  collusion’ 
denotes  the  diagonal  protocol  with  nexne  grid  where  colluding  users  are  selected  randomly.  For  the 
experiments  with  random  collusion,  we  repeated  the  simulation  five  times  and  took  the  average  of  these 
simulations.  For  other  experiments,  repetition  is  not  required  as  the  calculation  is  deterministic. 

In  Figures  4(a),  (b)  and  (c),  respectively,  we  show  the  effect  of,  5,  10  and  20  colluding  users.  From 
these  figures,  we  see  that,  as  the  number  of  users  increases,  the  number  of  affected  pairs  in  the  diagonal 
protocol  with  k  =  n 2/3  is  less  than  that  in  the  grid  protocol.  The  percentage  of  user  pairs  affected  due 
to  random  collusion  is  slightly  less  than  the  case  where  colluding  users  are  along  the  diagonal.  This 
is  due  to  the  fact  that  with  some  random  colluding  users,  some  of  the  colluding  users  are  in  the  same 
row/column.  Moreover,  even  with  random  colluding  users,  the  diagonal  protocol  provides  slightly  better 
collusion  resistance  when  compared  to  the  case  where  users  are  randomly  distributed  in  the  grid.  In 
other  words,  even  if  the  colluding  users  were  to  be  selected  at  random,  it  is  beneficial  to  arrange  the  users 
deterministically. 


Effect  of  Collusion  for  5  Colluding  Users  Effect  of  Collusion  for  1 0  Colluding  Users  Effect  of  Collusion  for  20  Colluding  Users 


(a)  (b)  (c) 


Figure  4:  Effect  of  collusion  on  various  protocols,  (a)  5  colluding  users  (b)  10  colluding  users  and  (c)  20 
colluding  users 

Figure  5  compares  collusion  resistance  of  different  protocols  in  the  diagonal  protocol  family.  When  users 
are  arranged  in  a  nfxne  grid,  the  number  of  pairs  affected  due  to  collusion  decreases  as  the  value  of 
e  increases.  Thus,  the  level  of  collusion  resistance  is  proportional  to  the  number  of  secrets  that  users 
maintain. 


17 


Effect  of  Collusion  for  5  Colluding  Users 


Effect  of  Collusion  for  10  Colluding  Users 


Effect  of  Collusion  for  20  Colluding  Users 


(a)  (b)  (c) 


Figure  5:  Collusion  in  diagonal  protocol  for  different  k  values,  (a)  5  colluding  users  (b)  10  colluding  users 
and  (c)  20  colluding  users 


Finally,  Figure  6  evaluates  the  effect  of  different  collusion  resistance  functions  for  the  protocols  in  the 
diagonal  protocol  family.  Based  on  the  discussion  in  Section  6,  for  a  diagonal  protocol  with  n£xne  grid, 
c.ne  is  a  collusion  resistance  function  if  c  <  1.  We  consider  the  number  of  affected  user  pairs  for  the 
case  where  c  equals  1/2, 1/3,  ...,  1/6.  As  shown  in  Figure  6,  the  number  of  user  pairs  affected  reaches 
a  constant  as  the  number  of  users  is  increased.  This  validates  the  expected  result  that  in  a  diagonal 
protocol  with  n€xne  grid,  the  percentage  of  pairs  unaffected  by  collusion  reach  a  non-zero  limit  if  the 
number  of  colluding  users  is  c.ne  where  c  <  1. 


Diagonal  protocol  with  k=n2/3,  number  of  colluding  users=k/2,3,4,5,6 


Diagonal  protocol  with  k=n3/4,  colluding  users=k/2,3,4,5,6 


Number  of  Total  Users 


(a) 


(b) 


Diagonal  protocol  with  k=n4/5,  colluding  users=k/2,3,4,5,6 


Number  of  Total  Users 


(c) 


Figure  6:  Collusion  in  diagonal  protocol  for  k/X  colluding  users,  (a)  k 


n2/3  (b)  k 


n3/4  (c)  k  =  ro4/5 


18 


8  Conclusion 


In  this  paper,  we  presented  a  family  of  collusion  resistant  protocols,  the  diagonal  protocol  family,  where 
the  level  of  collusion  resistance  is  proportional  to  the  number  of  secrets  that  users  maintain.  The  proposed 
protocol  family  is  based  on  the  square  grid  protocol  from  [1],  We  showed  that  other  variations  of  this 
protocol,  however,  failed  to  identify  the  family  of  collusion  resistant  protocols. 

We  defined  the  notion  of  collusion  resistance  classes.  We  showed  that  these  collusion  resistance  classes 
could  be  effectively  used  to  compare  the  collusion  resistance  of  different  protocols.  We  identified  the 
collusion  resistance  of  existing  protocols  as  well  as  the  protocols  in  the  proposed  family  for  membership 
in  these  families.  We  also  validated  these  results  through  simulation.  Specifically,  we  showed  that  given 
a  collusion  resistance  function  'if(n)  of  a  protocol,  the  percentage  of  unaffected  pairs  due  to  collusion  of 
n )  users  in  a  system  of  n  users  is  unchanged  as  the  number  of  users  is  increased. 

To  improve  the  security  further  and  to  reduce  the  window  of  vulnerability  while  using  the  diagonal 
protocol  family,  users  should  use  their  initial  secrets  to  establish  a  new  disposable  secret  and  use  that 
new  secret  during  further  communication.  With  such  a  change,  security  can  be  compromised  only  if  the 
adversary  can  eavesdrop  during  the  establishment  of  the  new  secret. 

For  reasons  of  space,  we  did  not  discuss  how  the  user  obtains  the  initial  secrets  as  this  issue  is  orthogonal 
to  the  issue  of  what  secrets  a  user  should  get.  A  user  may  obtain  these  initial  secrets  in  several  ways, 
e.g.,  a  user  may  obtain  these  secrets  by  initially  visiting  (respectively,  periodically  revisiting)  a  trusted 
server.  Also,  the  problem  we  discussed  is  orthogonal  to  the  issue  of  secret  maintenance  [16],  where  users 
change  their  secrets  periodically  to  thwart  cryptanalytic  attacks. 

One  of  the  open  questions  from  this  work  is  the  optimality  of  the  number  of  secrets  maintained  in  order 
to  provide  the  required  level  of  collusion  resistance.  In  the  proposed  diagonal  protocol  family,  if  0(ne) 
secrets  are  maintained  then  the  resulting  protocol  is  in  0r(ne).  For  e  =  1/2  (where  we  obtain  the  protocol 
from  [1],  the  number  of  secrets  maintained  is  within  a  constant  factor  of  the  optimal.  Also,  for  e  =  1,  the 
number  of  secrets  maintained  by  user  is  within  a  constant  factor  of  optimal.  However,  the  optimality  is 
not  known  for  intermediate  values. 


19 


References 

[1]  Sandeep  S.  Kulkarni,  Mohamed  G.  Gouda,  and  Anish  Arora.  Security  instantiation  in  ad-hoc  networks.  In 
Workshop  on  Dependability  Issues  in  Wireless  Ad  Hoc  Networks  and  Sensor  Networks  (DIWANS),  Florence, 
Italy,  June  2004. 

[2]  J.  Kong,  P.  Zefros,  H.  Luo,  S.  Lu,  and  L.  Zhang.  Providing  probust  and  ubiqutious  security  support  for  mobile 
ad-hoc  networks.  IEEE  International  Conference  on  Network  Protocols,  2001. 

[3]  J.  Hubaux,  L.  Buttyan,  and  S.  Capkun.  The  quest  for  security  in  mobile  ad-hoc  networks.  ACM  Symposium 
on  Mobile  Ad  Hoc  Networking  &  Computing ,  2001. 

[4]  L.  Zhou  and  Z.  Haas.  Securing  ad  hoc  networks.  IEEE  Network,  13(6),  1999. 

[5]  A.  Perrig,  R.  Szewczyk,  J.  Tyger,  V.  Wen,  and  D.  Culler.  Spins:  Security  protocols  for  sensor  networks. 
Wireless  Networks,  8:521-534,  2002. 

[6]  M.  Tatebayashi,  N.  Matsuzaki,  and  D.B.  Newman  Jr.  Key  distribution  protocol  for  digital  mobile  communi¬ 
cations  systems.  Advances  in  Cryptology,  1990. 

[7]  V.  Varadlrarajan  and  Y.  Mu.  Design  of  secure  end-to-end  protocols  for  mobile  systems.  Wireless,  1996. 

[8]  R.  Needham  and  M.  Schroeder.  Using  encryption  for  authentication  in  large  networks  of  computers.  Commu¬ 
nications  of  ACM,  21:993-999,  1978. 

[9]  A.  Perrig,  R.  Szewczyk,  V.  Wen,  D.  Culler,  and  J.  Tyger.  Spins:  Security  protocols  for  sensor  networks. 
International  Conference  on  Mobile  Computing  and  Networks,  pages  189-199,  2001. 

[10]  H.  Chan,  A.  Perrig,  and  D.  Song.  Random  key  predistribution  schemes  for  sensor  networks.  IEEE  Symposium 
on  Security  and  Privacy,  2003. 

[11]  L.  Eschenauer  and  V.  Gilgor.  A  key  management  scheme  for  distributed  sensor  networks.  ACM  Conference 
on  Computer  and  Communications  Security  (CCS),  pages  41-47,  2002. 

[12]  W.  Du,  J.  Deng,  Y.  Han,  and  P.  Varshney.  A  pairwise  key  pre-distribution  scheme  for  wireless  sensor  networks. 
ACM  Conference  on  Computer  and  Communications  Security  (CCS),  pages  42-51,  2003. 

[13]  D.  Liu  and  P.  Ning.  Establishing  pairwise  keys  in  distributed  sensor  networks.  ACM  Conference  on  Computer 
and  Communications  Security  (CCS),  pages  52-61,  2003. 

[14]  R.  Blorn.  Non-public  key  distribution.  Advances  in  Cryptology:  Crypto,  pages  231  -236,  1982. 

[15]  C.  Blundo,  A.  De  Santis,  A.  Herzberg,  S.  Kutten,  U.  Vaccaro,  and  M.  Yung.  Perfectly  secure  key  distribution 
for  dynamic  conferences.  Advances  in  Cryptology,  pages  344-355,  1992. 

[16]  V.  Naik,  S.  Bapat,  A.  Arora,  and  M.  Gouda.  Whisper:  Local  secret  maintenance  in  sensor  networks.  Workshop 
on  Principles  of  Dependable  Systems,  2003. 


20 


